Embodiments of the present invention relate generally to the field of system and/or data security and more particularly to providing dynamic and/or conditional constraints on queries based on an external security policy.
Security policies for accessing computer systems or resources can be “hard-coded” into applications that control access to those systems or resources. For example, an application controlling access to a file or group of files can include code for authenticating and/or authorizing a user requesting to access a file. While effective, such an approach presents problems in that it is rather inflexible. That is, since the security policy is hard-coded into the application, changing the policy generally requires recoding and recompiling the source code of the application. For large systems, this can be time consuming and inefficient. Furthermore, code revisions present the possibility of new problems or bugs being introduced into the systems requiring time and effort to troubleshoot or creating new vulnerabilities for the system.
Recently, attempts to address some of these problems have been made with the introduction of externally configurable, i.e., dynamic, security policies that can be changed without modifying the application code. One example of an approach that provides an externally configurable security policy is the Java Authentication and Authorization Service (JAAS). As is known in the art, JAAS provides methods for controlling login, authentication, authorization and other access control functions. JAAS methods can use external configuration files in which a security policy can be defined. Applications using JAAS to control access to resources can pass the path of the configuration file to the JAAS runtime during JVM startup. In this way, the applications do not need to include code defining the security policy. Rather, the policy is defined externally and can be changed by modifying the configuration file without modifying the code of the application.
However, such an approach still has drawbacks. Primarily, the external configuration files and methods that use the files to control access to resources do not allow for conditional definitions in the security policy. That is, the statements in the configuration file grant particular users or groups of users permission to access particular resources or groups of resources. However, these statements do not allow for granting of such permission only if a condition is met. For example, a security policy may be desired in which managers are allowed to modify records of only those employees who report to that manager. A security policy defined in a JAAS configuration file cannot define a policy with such a condition. Rather, the configuration file would need to list exactly those files to which the manager could be granted access. Such a definition would require significant administrative overhead to manage and maintain as work assignments and employees change.
Furthermore, external security policies such as those defined in a JAAS policy provide no way of constraining database or other queries (e.g. LDAP, XML Repository, Application Metadata Repository, Web Services Directory, etc.). The typical use of JAAS for authorization involves the use of the checkPermission() method call to find out if the currently authenticated user is granted a specific permission in the statically-declared policy. Thus, in cases where retrievals of large data sets from backend repositories are needed and the data sets need to be secured, a typical application utilizing JAAS would first retrieve all data sets from the backend repository and then call checkPermission on each data set that is returned. This approach is highly undesirable because a high level of network overhead will be incurred, as all data sets will be returned as part of the query. Performance will be further degraded by the numerous checkPermission method calls, one on each of the returned data sets. Furthermore, security concerns will be created as the retrieved/cached data sets will need to be protected from malicious attacks both while on the network and while in the middle-tier cache.
Ideally, if the queries can be dynamically modified to return only the data sets that the currently authenticated user is authorized to retrieve, better performance, lower network and/or computation overhead, and better security in the middle tier can be achieved. In such a case, once the data sets are returned, the application does not need to perform another authorization check on each of the returned data sets, as these data sets have been pre-determined by the query mechanism to be viewable or readable by the currently authenticated user. A hard-coded security policy can provide not only for conditional grants of permission, but can dynamically generate and/or constrain a query that is tailored to the permissions granted to a user requesting an access. However, external security policies do not provide this flexibility.
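The contrast drawn in the two preceding paragraphs, between retrieving every data set and then calling a per-row permission check, and appending a conditional constraint from an externally defined policy to the query itself, is illustrated by the following added example. It is not part of the original text and is not JAAS code; it is Python using an in-memory SQLite database as a stand-in for the backend repository, with a dictionary named `POLICY` standing in for an externally loaded policy file. The principal dictionaries, the `employees` table, and the role predicates are constructed for the example; the manager rule encodes the "only employees who report to that manager" condition from the earlier discussion.

```python
import sqlite3

# Constructed sample data standing in for the backend repository:
# (id, name, manager_id, salary). manager_id is NULL for the top manager.
EMPLOYEES = [
    (1, "alice", None, 120000),
    (2, "bob", 1, 90000),
    (3, "carol", 1, 95000),
    (4, "dave", 3, 70000),
    (5, "erin", 3, 72000),
]

# Assumed external policy: in a real deployment this would be loaded from a
# configuration file the way a JAAS policy is; here it is an in-memory dict.
# Each role maps to a conditional predicate over the employees table. The
# :principal_id placeholder is bound from the authenticated user's attributes.
POLICY = {
    "manager": "manager_id = :principal_id",   # only direct reports
    "hr": "1 = 1",                              # unconditional grant
    "employee": "id = :principal_id",           # only the user's own record
}

COLUMNS = "id, name, manager_id, salary"


def open_repository():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "id INTEGER PRIMARY KEY, name TEXT, manager_id INTEGER, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def check_permission(principal, row):
    """Per-row authorization check, the analogue of calling checkPermission()
    on each returned data set. The policy is hard-coded here on purpose."""
    row_id, _name, manager_id, _salary = row
    role = principal["role"]
    if role == "hr":
        return True
    if role == "manager":
        return manager_id == principal["id"]
    if role == "employee":
        return row_id == principal["id"]
    return False


def fetch_then_filter(conn, principal):
    """Approach 1: pull every row over the wire, then authorize each one.
    Returns (visible_rows, rows_transferred, permission_checks)."""
    rows = conn.execute(f"SELECT {COLUMNS} FROM employees").fetchall()
    visible = [r for r in rows if check_permission(principal, r)]
    return visible, len(rows), len(rows)


def constrained_query(conn, principal):
    """Approach 2: append the policy's conditional predicate to the query so
    the repository only returns rows the principal is allowed to see.
    Returns (visible_rows, rows_transferred, permission_checks)."""
    predicate = POLICY.get(principal["role"])
    if predicate is None:
        # Unknown role: nothing is granted, so no query is issued at all.
        return [], 0, 0
    # The predicate text comes from the trusted policy store; the principal's
    # attributes are bound as SQL parameters, never interpolated into the SQL.
    sql = f"SELECT {COLUMNS} FROM employees WHERE {predicate}"
    rows = conn.execute(sql, {"principal_id": principal["id"]}).fetchall()
    return rows, len(rows), 0


if __name__ == "__main__":
    db = open_repository()
    carol = {"id": 3, "role": "manager"}
    for label, fn in (("fetch-then-filter", fetch_then_filter),
                      ("constrained query", constrained_query)):
        visible, transferred, checks = fn(db, carol)
        print(f"{label}: {len(visible)} visible, {transferred} transferred, "
              f"{checks} per-row checks")
```

Both functions return the same visible rows for a given principal, which is the point: the constrained query reaches the same authorization outcome while transferring only the permitted rows and performing no per-row checks in the middle tier. The design keeps the two trust boundaries separate: predicate text is authored by the policy administrator and may change without recompiling the application, while values derived from the principal are only ever supplied as bound parameters.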
Hence, there is a need in the art for dynamic and/or conditional constraints on queries based on an external security policy.